| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Now that the SSL2 client hello support is gone, nothing uses this anymore,
except that a few ports still need SSL2_VERSION.
ok beck
|
|
Use better argument names, add a link to the relevant standards and add
CAVEATS and BUGS sections pointing out a few pitfalls.
discussed with davidben
ok beck
|
|
no overlap. Document that explicitly. Also make it more explicit that
that the caller must work with a copy of out.
ok jsing
|
|
|
|
|
|
|
|
with the help of jmc
|
|
Said bug was fixed in OpenSSL 1.0.0, released 14 years ago. It is of course
unsurprising that you may accidentally increment the refcount if your idiom
for decrementing it is CRYPTO_add(&bio-references, -1, CRYPTO_LOCK_BIO)).
|
|
|
|
It's relevant not only for the example, but also because the functions
documented here use PEM_def_callback(3) by default, and that exhibits
surprising and potentially dangerous behaviour by not NUL-terminating.
OK tb@
|
|
While here, also:
* Avoid the misleading term "default password callback" because none of
the functions in SSL_CTX_use_certificate(3) support overriding it.
* Do not talk about "storing", "writing", and "encryption" since the cb
passed to SSL_CTX_set_default_passwd_cb(3) is never used for any of that.
* List the functions using cb.
* Document what happens by default.
* Remove the misleading words "which must be provided by the application"
because all this is actually optional.
* Make several wordings more precise.
* Below EXAMPLES, fix argument naming to agree with pem_password_cb(3),
clarify the description of what the example does, and, as suggested by tb@,
use strlcpy(3).
OK tb@
|
|
for the various BIO types.
|
|
|
|
|
|
OK tb
|
|
ok ok miod@ ack ack jmc@
|
|
|
|
|
|
Or should we call it a centipede?
Feedback and OK on a previous version from jsing@
and from our chief myriapodologist, tb@.
|
|
jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.
ok jmc@
|
|
ok jmc@ schwarze@
|
|
|
|
person. Rewrite or use singular they.
ok thfr@ sthen@ daniel@ ian@ job@ kmos@ jcs@ ratchov@ phessler@ and
others I'm likely missing on an earlier version.
feedback tj@, feedback and ok jmc@
|
|
ok jmc@ sthen@ millert@
|
|
to match reality.
spotted by/ok jmc
|
|
ok tb@
|
|
If we can provide an EC key that is used, then it is by definition
non-ephemeral.
ok tb@
|
|
ok schwarze@
|
|
|
|
|
|
libssl bump.
|
|
from the OpenSSL 1.1.1 branch, which is still under a free license
|
|
while here, also apply some minor wording improvements
|
|
Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.
Again, symbols will appear with tb@'s reptar sized bump..
ok tb@
|
|
pointed out by schwarze
|
|
X509_get_extended_key_usage from OpenSSL. Will be linked to the build
after the bump.
input/lgtm schwarze
|
|
to the build after the bump.
tweak & lgtm schwarze
|
|
plus .Dv NULL, SEE ALSO, HISTORY
|
|
Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.
ok tb@
|
|
stub, written from scratch;
OK tb@ on SSL_set_psk_use_session_callback.3
|
|
OpenSSL 1.1.1 branch, which is still under a free license.
A few tweaks to wording and structure by me.
OK tb@ on SSL_SESSION_is_resumable.3
|
|
from the OpenSSL 1.1.1 branch, which is still under a free license
|
|
As reported by Jeremy Harris, we inherited a strange behavior from
OpenSSL, in that we ignore the SSL_TLSEXT_ERR_FATAL return from the
ALPN callback. RFC 7301, 3.2 states: 'In the event that the server
supports no protocols that the client advertises, then the server
SHALL respond with a fatal "no_application_protocol" alert.'
Honor this requirement and succeed only on SSL_TLSEXT_ERR_{OK,NOACK}
which is the current behavior of OpenSSL. The documentation change
is taken from OpenSSL 1.1.1 as well.
As pointed out by jsing, there is more to be fixed here:
- ensure that the same protocol is selected on session resumption
- should the callback be called even if no ALPN extension was sent?
- ensure for TLSv1.2 and earlier that the SNI has already been processed
ok beck jsing
|
|
leaving only the basic description in the RETURN VALUES section;
tb@ pointed out LibreSSL does not currently provide all those guarantees,
and he also OK'ed this diff
|
|
in particular, this includes new text by Matt Caswell
from OpenSSL commit 721eb8f6 Nov 28 12:03:00 2019 +0000
and corrects a wrong argument type that i introduced into the SYNOPSIS;
requested by tb@
|
|
|
|
|
|
RFC 5077. Note that session resumption via session tickets is
only for TLSv1.2 and earlier.
prompted by a question by/ok jmc
|
|
|
